AUDIT REPORT

NATIONAL MUSEUM OF THE AMERICAN INDIAN

INFORMATION SYSTEMS

Number A-02-06

January 17, 2003

Smithsonian Institution
Office of Inspector General

SUMMARY

The Office of the Inspector General audited information system security at the National Museum of the American Indian (NMAI). With the opening of the new Mall Museum approaching, NMAI requested a comprehensive review of its information security program. The purpose of the audit was to evaluate information system controls regarding server and network security, application developments, service continuity, segregation of duties, and physical conditions.

The following points were considerations throughout our audit: Adequate security of information and the systems that process it is a fundamental management responsibility. Of necessity, management must strike a reasonable balance between information technology security and operational capability because some controls impede operations.

Overall, NMAI did have some system security controls in place regarding system backup, systems audit trails and server password security features. However, we determined that NMAI system security configurations and safeguards were inadequate and the risk to system access and data integrity was high. During our audit, NMAI management made some system account reviews and changes and began reviewing configuration deficiencies identified during the audit. It is Smithsonian policy, as well as good business practice, that controls be established to maintain accountability for the custody and use of resources and to provide reasonable assurance that assets are safeguarded against loss or unauthorized use.
Therefore, we made 24 recommendations to improve systems security and general system controls at NMAI and 2 recommendations to the Smithsonian Institution Chief Information Officer. The recommendations to NMAI include:

   - developing and implementing technical industry guidance for server and client configuration settings;
   - defining technology positions to include system security responsibilities;
   - reviewing the current system configurations and making adjustments deemed necessary to enhance system security;
   - defining an NMAI sponsor and formally defining a development implementation team for the collection management system, media information management, and contact management system; and
   - assigning contract oversight responsibilities for evaluating technical changes to qualified information technology staff.

The two recommendations to the Chief Information Officer include:

   - issuing policies and guidance on the use of peer-to-peer technology for the Institution; and
   - modifying the Smithsonian Institution network control points to identify large file transfers and potential file sharing activities in order to alert network administrators.

Both the Director of the National Museum of the American Indian and the Chief Information Officer generally agreed with the audit recommendations. We recommend that the Director provide clarification for three recommendations. Overall, we believe that the corrective actions taken are responsive to the recommendations.
For those recommendations requiring additional implementation plans, we plan to follow up with the Director.

Office of the Inspector General

TABLE OF CONTENTS

1. Introduction ... 1
   A. Purpose ... 1
   B. Scope and Methodology ... 1
   C. Background ... 1
2. Results of Audit ... 3
   A. System Security Configurations ... 3
   B. Automated Information Systems Developments ... 11
   C. Disaster Recovery and Continuity of Operations Plans ... 14
   D. Segregation of Duties and Change Management Process ... 16
   E. System Facilities Physical Conditions ... 19
   F. Isolated NT Network ... 25
   G. Peer-to-Peer Technology ... 27

Table 1. Averages Based on Center for Internet Security Scores ... 5
Table 2. User Statistics ... 6
Table 3. Average Number of Days Since Users' Last Password Change ... 6
Table 4. Average Number of Days Since Last Log On ... 6
Table 5. Physical Observation Summary ... 16

Appendix A. NMAI Security Configuration Comparison to Industry Standards ... 31
Appendix B. Electronic Data Archiving ... 32
Appendix C. Management Comments From W. Richard West, Director, NMAI ... 33
Appendix D. Management Comments From Dennis Shaw, Chief Information Officer ... 45

ABBREVIATIONS AND ACRONYMS

CRC    Cultural Resource Center
GAO    General Accounting Office
GGHC   George Gustav Heye Center
IM     Instant Messaging
IP     Internet Protocol
IT     Information Technology
NCC    Network Communication Center
NIST   National Institute of Standards and Technology
NMAI   National Museum of the American Indian
NSA    National Security Agency
OCIO   Office of the Chief Information Officer
P2P    Peer-to-Peer
RITS   Registration Information Transaction System
SANS   System, Audit, Network, Security Institute
SD     Smithsonian Directive
SI     Smithsonian Institution
TRM    Technical Reference Model
UPS    Uninterruptible Power Supply

INTRODUCTION

A. Purpose

With the planned opening of the new Mall Museum approaching, the National Museum of the American Indian (NMAI) recognized the need for improvements in the technology area. NMAI requested a comprehensive review and the Office of the Inspector General initiated an audit of NMAI information systems. The purpose of the audit was to evaluate NMAI information system controls for systems access, server and network security, application development and program change management, and service continuity.

B. Scope and Methodology

The audit was conducted from July 1, 2002, to November 27, 2002, in accordance with generally accepted government auditing standards.
The audit methodology consisted of the following:

   - identifying and reviewing applicable policies and procedures related to system general controls, computer system security, and integrity of computer resources
   - comparing NMAI's system security settings with industry and Smithsonian Institution (SI) standards
   - evaluating controls to safeguard and protect networks
   - assessing the adequacy of controls to prevent and detect unauthorized activities including external intrusions, theft, or misuse of computers and networks
   - utilizing guidance issued by the National Institute of Standards and Technology, National Security Agency, and Microsoft Corporation relating to system security configuration, disaster recovery and business continuity planning

We reviewed:

   - policies, procedures, and controls relating to system security and data integrity
   - controls over server and network configurations
   - application development practices
   - controls to prevent and detect unauthorized activities

As part of our review, we conducted interviews with technology and systems developers, administrative staff and support contractors. We spoke with staff from Information and Technology Resources, the Registrar's group, Film and Video, Membership, and Development. We also spoke with consultants supporting the FARSIGHT and Registration Information Transaction System applications. Through interviews, we gained an understanding of the practices employed concerning system configuration, network analysis, system access, disaster recovery and business continuity, and change management.

C. Background

The National Museum of the American Indian seeks to advance knowledge and understanding of Native cultures and strives to protect, support, and enhance the development, maintenance, and perpetuation of Native culture and community.
As it prepares to open its new Mall Museum at the end of 2004, NMAI's strategic plan highlights the importance of technology and information management as a priority.

In order to meet the objectives noted in its strategic plan, NMAI recognizes the importance of information system security planning and the need to protect information technology resources. Each objective outlined in the plan provides detailed steps for achieving NMAI's major goals. Furthermore, each of NMAI's major goals strives to support achievement of the overarching Smithsonian-wide goals of public impact; focused, first-class research; management excellence; and financial strength.

As part of our review, we identified four major goals that incorporate the need for information security planning. First, in order to manage a comprehensive program to open the Mall Museum by the end of 2004, NMAI plans to ensure timely and successful installation and testing of all electronic, technology, and information management systems.

Second, in order to preserve, protect, relocate, selectively expand, and provide access to NMAI collections, NMAI plans to install a collections database (objects, photos, paper) with user-friendly accessibility for researchers and other interested parties.

Third, in order to enhance and implement organizational and management practices, procedures, and systems, and adopt appropriate technologies to improve effectiveness, efficiency, and productivity, NMAI plans to identify NMAI-wide technology and information management priorities and associated costs. This would include identification of those baseline technology applications that are essential to facility and collections management, administrative support, communications, and collaboration with Native communities and other entities.
The Museum recognizes that overall database management and design is an important part of this process.

Fourth, in order to recruit, retain, support, and reward staff to carry out NMAI's mission, NMAI plans to manage an active, supportive, and responsive human resources operation. It would include recruitment, training, implementation of disciplinary actions, time and attendance tracking, and maintenance of performance plans and appraisals. It would also establish clear performance targets and provide special training opportunities for NMAI staff to gain and expand knowledge and proficiency in key areas related to their individual work.

RESULTS OF AUDIT

A. System Security Configurations

System security configuration at NMAI is vulnerable and does not meet industry security standard recommendations. Specifically, operating system security patches[1] and hotfixes,[2] or technical solutions to system vulnerabilities, were not up to date and server configurations were not documented. This occurred because there are no policies, procedures, or guidelines within NMAI that provide instruction on system security configuration. Technical staff's training programs were undefined, information technology position descriptions did not address accountability for system security, and there was no process in place to perform scheduled server and network risk assessments. As a result, current system configurations permitted the setting of blank passwords, allowed unauthorized, undetected connections, and many system users had more system rights than necessary.

Background

We evaluated NMAI system security at locations in Suitland, Maryland, Washington, D.C. and New York [George Gustav Heye Center (GGHC) and the Bronx Research Branch].
We used Smithsonian Directives and industry guidance and standards from the National Institute of Standards and Technology, General Accounting Office, National Security Agency, and Microsoft Corporation. The evaluation included a review of operating system configurations, user accounts, network ports, and vulnerable services.[3]

Smithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that shall apply to Institution units. In particular, the directive requires managers to take systematic and proactive actions to develop and implement appropriate, cost-effective management controls. It also requires that controls established shall provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.

Smithsonian Directive 931, Use of Computers & Networks, August 5, 2002, requires the protection of business communications from unauthorized access.

The Computer Security Act of 1987 requires the establishment of minimum acceptable security practices related to federal computers. This act requires the identification and protection of systems containing sensitive information and calls for a computer standards program and security training for users.

National Security Agency (NSA) Research Study by Trusted Systems Services, Windows NT Security Guidelines: Considerations & Guidelines for Securely Configuring Windows NT in Multiple Environments, 1999, provides guidelines for countering known attacks on Windows NT installations that expose or modify user data maliciously. The goal is to make Windows NT as secure as reasonably and practically possible.
Implicit in the guidelines is the understanding that recommendations must be both effective against certain threats and also practical. A balance is necessary between security and operations because some controls impede operational capability.

[1] A service pack is a periodic upgrade to the operating system that contains vulnerability fixes.
[2] Hotfixes are updates addressing specific vulnerabilities and errors introduced between service packs.
[3] Registry settings and Novell servers were not evaluated.

NSA, Guide to Securing Microsoft Windows NT Networks, 2001, identifies a variety of available Windows NT 4.0 security mechanisms and provides steps or measures for their implementation. The guide provides a solid security foundation for any Windows NT 4.0 network by offering step-by-step instructions on how to utilize the operating system's built-in security features, additional add-on service packs, and hotfixes.

Microsoft White Paper, Securing Windows NT Installation, 1997, states that the default, out-of-the-box NT configuration is unsecured. This white paper discusses various security issues with respect to configuring all Windows NT operating system products for a highly secure computing environment.

National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998, states that the objective of system security planning is to improve the protection of information technology resources. All federal systems have some level of sensitivity and require protection as part of good management practice. According to NIST, system security plans should document the protection of the system.
Additionally, the completion of system security plans is a requirement of the Office of Management and Budget Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Public Law 100-235, Computer Security Act of 1987. The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001, states that adequate security of information and the systems that process it is a fundamental management responsibility. This document provides guidance on applying a framework by identifying 17 control areas, such as those pertaining to identification and authentication, and contingency planning. The guide explains that officials must understand the current status of their information security program and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level. This self-assessment guide provides a method for agency officials to determine the current status of their information security program.

NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, defines eight principles used as an anchor on which the federal community should base its information technology security program. These principles guide personnel when creating new systems, practices or policies. This guidance defines the purpose of computer security as a way to protect an organization's valuable resources, such as information, hardware, and software.
Through the selection and application of appropriate safeguards, a security program helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

Result of Review

We evaluated system configurations that included server and sub-network security at each of the NMAI locations. Under the current system configuration, we determined that the systems are vulnerable and could be strengthened to meet industry security standard recommendations. We used the Center for Internet Security Scoring Tool as a basis to evaluate each Microsoft NT server. The "Windows Security Scoring Tool" produces a score between one and ten, with ten being the most secure. The criteria used for scoring are divided into four categories: (1) Service Packs and Hotfixes, (2) Policies, (3) Security Settings and (4) Available Services and Other System Requirements. NMAI falls in the low range of average scores with a score of 3.54. Table 1 summarizes the averages for hotfixes and server scores for each location.

[Table 1. Averages Based on Center for Internet Security Scores: table body not recovered from the scanned page.]

The failure to maintain servers with the most current versions is a risk that can be easily mitigated. A service pack corrects known problems and provides tools, drivers, and updates that extend functionality and keep the software code updated. Hotfixes and security patches are intended for enterprise implementations and provide an extra level of security for mission-critical software systems. Specifically, security patches eliminate vulnerabilities by mitigating recognized exploits. According to NIST, maintaining and updating applications with the latest hotfixes, patches, and service packs is necessary to maintain the operational availability, confidentiality, and integrity of information technology systems.
Not all vulnerabilities have related patches; therefore, system administrators must be aware of vulnerabilities and patches, and have a means to mitigate "unpatched" vulnerabilities through other methods.

Our review of the server security settings determined that across NMAI, audit policies and account lockout were not fully activated. Activating and reviewing events from audit policies can inform administrators of actions that could pose security risks and also identify the user accounts from which audited actions were taken. Microsoft recommends auditing and recording particular failed log on attempts, attempts to access sensitive data, and changes to security settings. Only three of five servers in the New York area had the audit control function activated. The remainder of NMAI's servers did not.

The account lockout function prevents brute-force password cracking or guessing attacks on the system. When activated, system administrators can set the number of log on attempts and the locking duration. In addition, information technology staff had not activated system password policies specifying password lengths and expiration dates. Specifically, no NMAI servers had activated the built-in Windows NT password policies. However, 75 percent of the servers (9 of 12) had activated the expiring password function.

Table 2 shows that the 12 servers had 249 local users. There were 32 users with blank passwords and most administrative accounts were not renamed. The Guest accounts were inactivated but not renamed. Both NIST and NSA recommend renaming or disabling these accounts. See Appendix A for a comparison of NMAI to industry configuration standards. Industry standards recommend that users should have limited access to only what they need in order to perform their duties. An analysis of NMAI users identified that there are 70 users that have never logged on and 84 users that belong to the administrator group.
A user in the administrator group has unlimited and unrestricted access to alter and make changes to systems.

[Table 2. User Statistics: table body not recovered from the scanned page; only the row label "Account that have never ..." survived.]

Tables 3 and 4 show that the administrator group's average time since the last password change was 562.9 days and the average time since last logon was 290.37 days. In addition, all the users belong to the administrator group on two servers. A review of these users is necessary to validate the need to maintain the various users and their level of system access. System administrators have begun this review and have removed some users and group accounts.

As part of our network analysis, we performed network scans and limited penetration testing on the NMAI network. Specifically, we researched and used the most commonly identified port and service vulnerabilities for the Windows operating system. We scanned the network from both within and outside of the SI network. Although we were unable to easily identify the NMAI servers from outside the SI network, we were able to compromise the NMAI network from within the SI network.

We performed port scanning and penetration testing to determine open and vulnerable ports across the network. We reviewed those machines identified as susceptible to hacking and focused on the servers and then on the client machines. We used the NSA report "Windows NT Security Guidelines" as a basis for evaluating server services.
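The account review behind Tables 2 through 4 (blank passwords, accounts that never logged on, administrator group membership, and average days since password change and last logon) is the kind of check an administrator can repeat on a schedule. The Python below is an added example, not part of the audit report or of NMAI's tooling; it runs over a constructed account list, uses the audit's end date as the reference date, and assumes a 90-day administrator password age ceiling that the report itself does not set.

```python
"""Local-account review modelled on the audit's Tables 2-4 (constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

ADMIN_GROUP = "Administrators"
MAX_PASSWORD_AGE_DAYS = 90                     # assumed policy ceiling; not from the report
BUILTIN_ACCOUNTS = ("Administrator", "Guest")  # NIST/NSA: rename or disable these


@dataclass(frozen=True)
class LocalAccount:
    server: str
    name: str
    groups: tuple
    blank_password: bool
    password_last_set: Optional[date]   # None when no password was ever set
    last_logon: Optional[date]          # None when the account never logged on
    enabled: bool = True


def days_since(when: date, as_of: date) -> int:
    return (as_of - when).days


def user_statistics(accounts, as_of):
    """Reproduce the Table 2-4 figures for an arbitrary list of local accounts."""
    admins = [a for a in accounts if ADMIN_GROUP in a.groups]
    pw_ages = [days_since(a.password_last_set, as_of) for a in admins if a.password_last_set]
    logon_ages = [days_since(a.last_logon, as_of) for a in admins if a.last_logon]
    servers = sorted({a.server for a in accounts})
    # Servers on which every local user is an administrator (the report found two).
    all_admin = [s for s in servers
                 if all(ADMIN_GROUP in a.groups for a in accounts if a.server == s)]
    return {
        "servers": len(servers),
        "local_users": len(accounts),
        "blank_passwords": sum(a.blank_password for a in accounts),
        "never_logged_on": sum(a.last_logon is None for a in accounts),
        "administrator_group": len(admins),
        "admin_avg_days_since_password_change": round(mean(pw_ages), 2) if pw_ages else None,
        "admin_avg_days_since_logon": round(mean(logon_ages), 2) if logon_ages else None,
        "servers_where_all_users_are_admins": all_admin,
    }


def review_accounts(accounts, as_of):
    """Flag the conditions the audit reported: blank passwords, dormant enabled
    accounts, un-renamed built-in accounts and stale administrator passwords."""
    findings = []
    for a in accounts:
        if a.blank_password:
            findings.append((a.server, a.name, "blank password"))
        if a.enabled and a.last_logon is None:   # a disabled account is not a logon risk
            findings.append((a.server, a.name, "enabled but never logged on"))
        if a.name in BUILTIN_ACCOUNTS:
            findings.append((a.server, a.name, f"built-in {a.name} account not renamed"))
        if ADMIN_GROUP in a.groups and a.password_last_set:
            age = days_since(a.password_last_set, as_of)
            if age > MAX_PASSWORD_AGE_DAYS:
                findings.append((a.server, a.name, f"administrator password {age} days old"))
    return findings


AS_OF = date(2002, 11, 27)   # reference date: the audit's end date

SAMPLE_ACCOUNTS = [          # constructed sample, not NMAI data
    LocalAccount("srv-a", "Administrator", ("Administrators",), False, date(2001, 1, 1), date(2002, 11, 1)),
    LocalAccount("srv-a", "jdoe", ("Users",), True, date(2002, 6, 1), date(2002, 11, 20)),
    LocalAccount("srv-a", "backup_svc", ("Administrators", "Backup Operators"), False, date(2000, 5, 15), None),
    LocalAccount("srv-a", "Guest", ("Guests",), True, None, None, enabled=False),
    LocalAccount("srv-b", "Administrator", ("Administrators",), False, date(2002, 3, 1), date(2002, 11, 25)),
    LocalAccount("srv-b", "asmith", ("Administrators",), False, date(2001, 9, 1), date(2002, 2, 1)),
]

if __name__ == "__main__":
    for key, value in user_statistics(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
    for server, name, issue in review_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{server}\\{name}: {issue}")
```

On real servers the account list would be exported from the SAM (for example with the `net user` command the page's era of Windows NT provides) and fed to the same two functions.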
In summary, NSA provides the following recommendations in order to minimize service risks:

   - limit the necessary services that run on a given computer
   - eliminate or separate services that interact with one another when not necessary
   - perform periodic reviews on each computer on the network
   - block server operators that can expand their capabilities or install programs that run with full administrative capabilities (such capabilities are contrary even to standard Windows NT settings)
   - permit only full administrators to install services.

We performed limited attempts to penetrate selected machines. We recognized that once one machine was compromised, the password file containing all users' passwords could be captured and subsequently used to try to gain access to other machines. This would create a domino effect across the entire network. From our testing of 379 NMAI machines, we were able to penetrate 32 machines and collect password files that contained the system administrator's accounts, which provided us with the ability to compromise other SI computers.

Based on our analysis, we determined that system security weaknesses stem from the following:

   - a lack of policies and guidance for server and client security configuration
   - undefined technical staff training programs
   - information technology position descriptions that do not address accountability for system security
   - no process to perform periodic server and network risk assessments.

Although the Institution is establishing enterprise computer security policies, there is no NMAI guidance currently in place to assist system administrators in establishing minimum server and client security configurations. The NIST special publication Principles and Practices for Securing IT Systems contains 14 practices that define an effective computer security program.
These practices include the guidance for server and client security configuration that would help NMAI establish goals and assign responsibilities to administrators and users for the protection of assets under their custody.

NMAI information technology staff informed us that they did not receive any significant information technology security training within the last 18 months. Although staff has been maintaining NMAI systems, NMAI would benefit from a defined technology training program that identifies the specific technical skills necessary to maintain its systems. In addition, individual information technology position descriptions do not address accountability for the security of the systems that staff are inherently responsible for administering and maintaining. According to numerous federal standards, defining and implementing technology training programs is critical to the successful administration of information system resources.

There is no process to perform scheduled server and network risk assessments. Such assessments would be helpful in the evaluation of the many types of changes that affect system security. They could include evaluating technological developments, intra-network and inter-network changes, changes in the value or use of information, or the emergence of a new threat.

As a result, the lack of standard security system configurations places NMAI system resources at risk for unauthorized, undetected activities. In addition, without documented maintenance and administration responsibilities, NMAI cannot ensure that their systems are maintained in an updated and secure condition.

Conclusion

Based upon our configuration and network analyses, we believe NMAI can improve systems security by defining security administration responsibilities and introducing an assessment process into their administration duties.
According to federal requirements, information technology staff should participate in a structured training program that provides the level of technical skills appropriate to their responsibilities. In addition, implementing security monitoring tools and performing periodic network scans can limit risks and vulnerabilities and prevent system compromises.

Recommendations

We made six recommendations to the Director, National Museum of the American Indian.

   1. Use technical industry guidance to develop and implement server and client configuration settings.

Management Comments

Agreed. Management has circulated technical industry guidance among staff. NMAI will hire a Technology Manager who will issue a series of directives and assume responsibility for on-going compliance. Additionally, management intends to limit administrator group privileges to include only necessary personnel.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in June 2003 to obtain the status of this recommendation.

   2. Define technology positions and include a delegation of system security responsibilities.

Management Comments

Agreed. NMAI has begun a process to revise all technology-related positions and the duties assigned as part of a general reorganization of the Information and Technology Resources office. System security responsibilities will be written into position descriptions and performance measures.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in June 2004 to obtain the status of this recommendation.

   3. Develop a tailored technical training program for technology staff.

Management Comments

Agreed.
Management will work with OCIO to assess training needs and develop an on-going security training program.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in October 2003 to obtain the status of this recommendation.

   4. Develop and implement a semiannual security assessment process for systems and network assets that includes server configuration evaluations and network scans based on industry standards.

Management Comments

Agreed. NMAI staff will apply the Windows Security Scoring Tool on a quarterly basis and NMAI's Technology Manager will monitor compliance.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in March 2003 to obtain the status of this recommendation.

   5. Review and determine the necessity of the numerous user accounts.

Management Comments

Agreed. NMAI system administrators will review and delete unnecessary accounts.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in January 2003 to obtain the status of this recommendation.

   6. Review the current system configurations and make adjustments where necessary to enhance system security.

Management Comments

Agreed. NMAI's Information and Technology Resources Manager will oversee systems security configurations.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in April 2003 to obtain the status of this recommendation.

B. Automated Information Systems Developments

NMAI could benefit by following a system development life cycle methodology for its current application development projects.
Until recently, the Institution did not have guidance to assist developers who develop application projects. Without a development methodology, NMAI projects could fail to meet project deadlines and budget requirements. In addition, without an adequate project plan, management oversight would be difficult.

Background

The scope of our review consisted of evaluating project management practices for NMAI's application development projects. We interviewed NMAI staff and reviewed documentation for current projects (Collection Information System, Media Information Management, Contact Management System) under development.

Smithsonian Directive 910, Information Technology Planning, August 28, 2002, establishes policies and procedures and assigns responsibilities for strategic and operational information technology planning within the Institution. Within each of their areas of responsibility, museums, research centers, and office directors will designate a person to conduct or coordinate IT planning activities and develop IT plans with guidance from the Chief Information Officer.

Smithsonian Directive 920, Life Cycle Management, August 5, 2002, establishes life cycle management policies, defines essential elements, and assigns responsibilities governing the initiation, definition, design, development, deployment, operation, maintenance, enhancement, and retirement of automated information systems and IT infrastructure projects at the Smithsonian Institution. In addition, the directive requires logical planning, managing, and monitoring of automated information system developments. Each development phase requires specific decisions and actions to ensure that the system is being developed and managed efficiently and economically, and that it meets requirements.

Results of Review

In performing our review, we determined that the Museum is in the midst of developing major application projects.
Based upon our evaluation, NMAI could benefit by following a system development life cycle methodology for its current application development projects. Reviews of application development documents and discussions with NMAI development staff determined that no formal development methodology was followed. In addition, there were no written preliminary project plans or a business case, as required by the current life cycle management policy. However, the available technical documentation for the collections and media information projects was detailed. Both Smithsonian Directives 910 and 920 establish requirements for defining the bases, scope, and possible improvements for any project. According to the policies, a well-defined project plan needs to be in place. Additionally, application projects must be supported by a business case that includes an analysis of the expected costs and benefits, alternative solutions, and potential programmatic and technical risks. No application development project should be initiated until supported processes have been reviewed and redesigned as necessary for their greatest possible effectiveness.

Until recently, the Institution did not have detailed guidance and policies for technology staff to follow regarding system development projects. Directives 910 and 920, issued in August 2002, should strengthen the Institution's ability to consistently develop and implement information systems. NMAI's developer did state that since SI has two new directives, NMAI plans to follow SI policy when developing and implementing application projects.

Employing and following a structured system development methodology would assist in maintaining a project focus and identifying critical paths and development issues before funds are spent and milestone dates approach or pass. Without project plans, NMAI projects could fail to comply with deadlines and budget requirements.
In addition, without an adequate project plan, management oversight is difficult. Without a defined development life cycle, projects become too complex to plan and control successfully.

Conclusion

The Museum has established, within its 2002 strategic plan, goals to enhance and implement organizational management practices, procedures and systems, adopting appropriate technologies and other methods to improve effectiveness, efficiency, and productivity. We believe that the adoption of such a structured development methodology for all development applications, regardless of size, would benefit NMAI strategic goals.

Recommendations

We made two recommendations to the Director, National Museum of the American Indian:

   1. Define an NMAI sponsor and formally define a development implementation team for the collection management system, media information management, and contact management system.

Management Comments

Agreed. NMAI's Collections Information System development implementation team will be established in February 2003. The Media Information Management System development implementation team will be established in June 2003, and the Contact Management System development implementation team will be established in February 2003.

Office of the Inspector General Response

The Director's actions are partially responsive to the recommendation. The recommendation called for NMAI to assign a sponsor within NMAI to be responsible for the programs being developed. We request that NMAI identify a unit to sponsor and have responsibility for overseeing and implementing each program. We will follow up with the Director in June 2003 to obtain the status of the three systems indicated in this recommendation.

   2. Require that current and future development projects follow the SI life cycle management policy.

Management Comments

Agreed.
NMAI's Technology Manager has instructed staff to follow recently issued institutional guidance provided by Technical Standard & Guideline IT-920-01, Life Cycle Management Manual.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. This recommendation is considered closed.

C. Disaster Recovery and Continuity of Operations Plan

Although a tape backup process is in place, NMAI had not implemented a disaster recovery and continuity of operations plan for IT services. A disaster recovery and continuity plan had not been initiated because NMAI is awaiting OCIO guidance for standardizing the sensitivity and risk assessment documentation required for Institution-wide planning. In addition, funding has been budgeted for fiscal year 2003 to assist in implementing security plans for major system development projects. Without fully implementing these plans, the Museum may not be prepared in the event operations are disrupted due to system failure, compromise, or other disaster.

Background

The scope of our review consisted of evaluating NMAI's existing disaster recovery and business continuity plans for system resources. We interviewed NMAI management and information technology staff to gain an understanding of backup and disaster recovery and continuity of operations plans.

Smithsonian Directive 931, Use of Computers & Networks, August 5, 2002, requires system administrators to perform data backup and offsite storage of critical data. In addition, the Smithsonian Institution Computer Security Handbook, September 9, 1993, provides computer security policies and procedures for all Smithsonian components to develop disaster recovery and business continuity plans.
Disaster recovery safeguards consist of developing a contingency plan, storing the plan offsite, regularly backing up files and software, identifying an alternate offsite processing site, and testing the contingency plan. According to the Handbook, the purposes of a contingency plan are to determine actions that will minimize the effects of undesirable occurrences, document emergency response actions like system restart, and establish procedures for recovering from losses.

NIST, The Contingency Planning Guide for Information Technology Systems, December 2001, provides instructions, recommendations, and considerations for government IT contingency planning. According to the guidance, some type of documented procedures should be in place to provide for the recovery of files, address disaster recovery, and identify critical processing data. The plan should allow for periodic testing and should ensure that personnel understand their respective roles during a disaster.

Results of Review

Our review determined that NMAI has not documented or implemented disaster recovery and business continuity of operations plans that cover its system resources. Disaster recovery and contingency plans assess the adequacy and ensure continuity of operations if either a complete system failure or failure of system components occurs. For its system servers, system administrators have an established tape backup process. The tapes, however, are not stored off site at all locations.

Disaster recovery and continuity of operations planning for critical systems is a top priority for management. Although technology staff have identified processes in the event of a short-term disruption, management has not taken steps to develop and implement full disaster recovery and continuity of operations plans because they are awaiting institution guidance from the OCIO.
The OCIO is planning on establishing policies and guidance for disaster and continuity planning in the near future. In anticipation of the need for disaster recovery and continuity planning, the Museum has included funding in its fiscal year 2003 budget for obtaining contract support to assist in performing sensitivity and risk analyses for major systems.

Without a plan in place, NMAI risks being unable to restore its critical system resources in a timely manner if one of its components fails due to an unforeseen situation. In addition, without these plans, the opening of the new Mall Museum could face disruptions that could not be addressed in a timely manner.

Conclusion

With the planned opening of the Mall Museum, it is critical that plans are in place to address any level of system disruption. The top NMAI goal is to manage a comprehensive program to construct and open the Mall Museum by the end of calendar year 2004. One of NMAI's objectives is to ensure timely and successful installation and testing of all electronic, technology, and information management systems necessary for effective operations, and for linkages with other NMAI operations. Without a disaster recovery and continuity of operations plan, achievement of NMAI strategic goals is at risk.

In addition, the Museum has an opportunity to consider electronic data archiving between its three facilities (Manhattan, Suitland, and the new museum opening in the District) for its disaster recovery and continuity of operations. Data archiving provides numerous benefits in both cost and operations. Appendix B illustrates an example of electronic data archiving between the three locations. The advantage of electronic data archiving, or auto archiving as it is sometimes called, is the ability to store offsite without the extra expense of a hotsite facility.
Another advantage of auto archiving is the ability to quickly restore a system, which increases the amount of system space availability.

Recommendation

We recommended that the Director, National Museum of the American Indian, adopt and implement a disaster recovery and continuity of operations plan in accordance with SI policies or current industry standards.

Management Comments

Agreed. NMAI's new Technology Manager will oversee the development of an NMAI Disaster Recovery and Contingency Plan and the Information and Technology Resources Manager will oversee implementation of disaster recovery plans.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. The Chief Information Officer issued guidance for conducting sensitivity analyses and risk assessments on November 5, 2002, [illegible] at any time. We will follow up with the Director in July 2003 to obtain the status of this recommendation.

D. Segregation of Duties and Change Management Process

Currently, there is inadequate segregation of duties for the administration of the financial application FARSIGHT. In addition, the Museum has not adopted a system change management process for FARSIGHT. This is occurring because application administration is being supported outside of the Museum's technology staff.
As a result, inadequate segregation of duties increases the risk that erroneous or improper program changes could be implemented and that the computer resources could be damaged or destroyed.

Background

The scope of our review consisted of evaluating the change management process for the FARSIGHT application. We interviewed NMAI staff, the contracting officer's technical representative, and the contractor responsible for the application.

General Accounting Office (GAO), Federal Information System Audit Controls Manual, January 1999, requires that segregation of work responsibilities occur so that no individual controls all critical stages of a process. It also restricts the designated computer programmer from independently writing, testing, and approving program changes. The manual states that inadequately segregated duties increase the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and the computer resources could be damaged or destroyed.

Smithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that shall apply to Institution units. In particular, the directive requires managers to take systematic and proactive actions to develop and implement appropriate, cost-effective management controls. It also requires that controls established shall provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.

Results of Review

As part of our testing of general access controls, we determined that NMAI has contracted for server and FARSIGHT application administration that includes making program changes and modifications. FARSIGHT is an application used by 99 users that contains financial budget and obligations information concerning NMAI projects and salary forecasting.
Typically, separation should exist among individuals who maintain the applications, individuals who administer the application server, and individuals who make application changes and modifications. Discussions with the FARSIGHT support contractor revealed that the contractor performs server administration, application modifications, testing, and implementation. Further, NMAI is not requiring technical documentation that explains the application changes, or the maintenance of documented correspondence and requests for changes between the contractor and the contracting officer's technical representative. In addition, NMAI is providing the contractor with two computers for their use. These computers and the application server are located in a public space to ease system administration.

Reliance on a contractor for performance of all of these duties without proper oversight by technically trained staff is a risk. Responsibilities of the contracting officer's technical representative include representing the Smithsonian in issues with the contractor, including acceptability of workmanship, compliance with technical requirements of the contract, completion of work, and approval for payment. The contracting officer's technical representative supporting NMAI's FARSIGHT application is not trained in information technology and not familiar with the segregation of duty responsibilities. Delegating technical oversight to non-technical staff without adequate training and experience poses a risk to the Museum.

As a result, it would be difficult for the current contracting officer's technical representative to effectively question the work of a technical contractor. In addition, unnecessary software changes could be implemented due to a lack of effective controls to segregate duties and monitor contract performance.
Also, permitting unnecessary computer access and resources poses a risk of improper use of computer resources within NMAI and the Institution.

Conclusion

One of the Museum's strategic goals is to enhance and implement organizational and management practices, procedures, and systems at NMAI and adopt appropriate technologies to improve effectiveness, efficiency, and productivity. If staff are unfamiliar with the Institution's standardization of technologies and oversight, they risk supporting an ill-advised application or an application that is not a standard. Such applications could pose additional vulnerabilities and risks.

Recommendations

We made four recommendations to the Director, National Museum of the American Indian:

   1. Assign contract oversight responsibilities for technical contracts to qualified information technology staff.

Management Comments

Agreed. NMAI's Information and Technology Resources staff will work closely with the Contracting Officer's Technical Representatives managing technical projects to provide contract oversight for technical issues. Information and Technology Resources staff will apply Life Cycle Management guidelines to legacy systems.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. Although not explicitly stated by NMAI, we believe that NMAI should have IT staff involved on its current technical contracts. We request that NMAI clarify whether this is their intent, and we will also follow up with the Director in June 2003 to obtain the status of this recommendation.

   2. Define and implement, with support from the Office of Contracting, a contract modification for the maintenance of system support technology contracts.

Management Comments

Agreed.
NMAI will review the existing contract for the FARSIGHT vendor and, with support from the Office of Contracting, specify systems maintenance requirements.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in April 2003 to obtain the status of this recommendation.

   3. Obtain the system documentation, including changes, from the FARSIGHT contractor and establish a change and configuration management process for future modifications.

Management Comments

Agreed. Systems documentation will be requested immediately and a change and configuration management process will be established.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in April 2003 to obtain the status of this recommendation.

   4. Perform an information technology organization assessment to include considering realigning technology positions under a central manager.

Management Comments

Agreed. NMAI will present a draft proposal to assess information technology organization and realign technology positions under a central manager to Senior Management and its Board of Trustees.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. We will follow up with the Director in June 2003 to obtain the status of this recommendation.

E. System Facilities Physical Conditions

Physical computer security conditions at NMAI can be improved. Currently, physical access, fire prevention, air-cooling, plumbing, and housekeeping conditions pose a risk to system resources and staff. This is occurring because SI has not issued computer room physical condition policies and NMAI has not obtained budgetary support to enhance its facilities.
In addition, for convenience, NMAI maintains its computer rooms accessible to non-technology staff. Without appropriate physical and environmental security controls implemented to protect the system resources, the system resources themselves are at risk for unauthorized changes to hardware or software configuration. They are also at risk for theft. In addition, without strict computer room housekeeping requirements, there is a risk of fire and accidental damage to equipment.

Background

We visited each location to obtain a first-hand observation and understanding of the current physical security conditions. The scope of our review consisted of evaluating physical access controls, fire hazards, utilities, and housekeeping risks to computer resources.

SI Directive 115, Management Controls, July 1996, establishes that management controls must provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation. Access to resources and records should be limited to authorized individuals, and accountability for the custody and use of resources should be assigned and maintained.

GAO, Financial Information Systems Control Audit Manual, January 1999, provides guidance in evaluating computer-related controls. The guidance describes access controls to provide reasonable assurance that computer resources are protected against unauthorized modifications, disclosure, loss, or impairment. Such controls include physical controls such as locking computer rooms to limit access. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data.

The NIST special publication, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, provides instructions, recommendations, and considerations for government computer security.
According to NIST guidance, security policies and procedures should be in place to protect valuable resources, such as information, hardware, and software. The security program should allow for periodic assessments and should ensure that personnel understand their respective responsibilities.

The NIST special publication 800-18, Guide for Information Technology Systems, December 1998, states that physical access controls should be in place to restrict the entry and exit of personnel from a data center area or room containing network equipment. Physical access controls should address not only the area containing system hardware, but also the wiring, and the uninterruptible power and backup operations that support system operations.

Results of Review

In performing our review, we determined that the physical conditions surrounding NMAI's computing resources can be improved. Table 5 shows a summary of our physical observations for each location visited.

Table 5. Physical Observation Summary

                                                   CRC    DC    NY (GGHC)    NY (The Bronx)
Physical Access Control
  Public access to computer resources               X     X        X              X
Fire Safety Factors
  Fire suppression prevention devices installed
  and working                                       X     X        X              X
  No emergency water cutoff                         X     X        X              X
Supporting Utilities
  Building plumbing lines are known to endanger
  systems                                                          X              X
  No uninterruptible power supply                   X     X        X              X
  Unkempt housekeeping                                             X              X

X = location is not to standard.

At CRC, we observed that although the door to the Network Communication Center (NCC) room has an electronic lock, it is not used. Also, we observed that the room is left unattended, and this provides opportunities for someone to enter and alter or damage servers and network equipment. In the New York GGHC facility, the room is accessible with a key card; however, it is shared with the Film and Video Center. Staff also use the space to store their bicycles and other equipment. Additionally, a makeshift office is established for a support contractor, generating traffic unrelated to the servers' administration.
Further, the servers are located inside a cage that is open at the top.

In the Bronx, the computer room door can be opened with a general key and a network router is located in an open, unsecured public area next to oily mechanical machinery. In the Washington, D.C. facilities, the server that maintains financial data is located in an open, public area. Another server is on top of a file cabinet in a storage room accessible by others. The servers are also publicly accessible with a general key.

In all locations, we observed that fire suppression and some supporting utilities were not fully in place. For example, although most locations rely on water sprinkler systems, there are no emergency water cut-offs. Because most of the system resources are stored in general building space, there are no backup and auxiliary cooling systems in place. As a result, we noted the locations that housed the server resources were warmer than the remainder of the building.

The two locations in New York pose a significant plumbing risk. In the GGHC facility, pipes run along the ceiling above the servers, and in the Bronx, the server room is located between two bathrooms and the room has an open hole in its ceiling. Also, the equipment is not protected in case of electric shut-off and there is no uninterruptible power supply (UPS) or backup generator. NMAI staff stated that they contacted the local facilities office regarding this problem. In regards to housekeeping conditions, we noticed that the GGHC computer room contained trash paper and soft drink cans. Such conditions pose fire and safety hazards and the potential risk of damage to equipment.

In general, these conditions exist because focus has been on the opening of the new Mall Museum and because of budget and space constraints. Also, the SI does not have detailed policies that address computer room physical conditions.
The OCIO is in the process of formulating SI policy for computer room physical conditions.

At both the D.C. and CRC locations, the computer rooms are left open to all staff for convenience purposes. CRC staff explained that the door to the computer room is open because staff need access to a high-quality copier used for graphic copying. In the D.C. location, the computer servers are placed in publicly accessed locations because a contractor requires access to perform administration on the FARSIGHT application. Another server is located in a storage room on top of a file cabinet, but according to staff, plans exist to relocate this server to OCIO. Other computer servers, however, were secured from public access. The GGHC staff explained that the computer room is publicly accessible because, historically, several different offices, including the Film and Video Center, used it. The Bronx server computers are accessible because the lock to the server room door can be opened with the building front door key. The front door keys can be obtained from any Bronx facility staff person.

At all locations, although fire sprinklers were visible, hand held fire extinguishers were not. We believe that the lack of SI policies for computer rooms contributes to staff failure to maintain additional fire suppression needs. In addition, the GGHC staff's failure to maintain general housekeeping is due to the difficulty of management providing oversight from a distant location (the CRC) and a lack of SI policy or standards.

Funding and upgrading for the D.C. facility is not planned because resources will be directed to the new Mall Museum building. At the GGHC, staff stated that a UPS has been requested but not received. In addition, staff stated that requests were made to the General Services Administration, which manages the facility, to assist in determining an alternative means for backup power supply.
Also, at the GGHC, there are visible ceiling\nplumbing pipes with no protection to the computers below. Staff stated that with OCIO\ninvolvement, plans are being made to consolidate several SI museums computer resources\nin the New York area at the GGHC. It is unclear whether the new plans will address the\nplumbing issue because at the time of our audit, formal plans were incomplete.\n\nA lack of physical and environmental access controls increases the risk to computer\nresources. Individuals can gain unauthorized access to terminals or telecommunication\nequipment that provide access to confidential or sensitive information, substitute\nunauthorized data or programs, and steal or inflict malicious damage to computer\nresources. In addition, without strict housekeeping requirements, there is a risk of fire\nand accidental damage to equipment and staff.\n\x0cConclusion\n\nCurrent industry standards recommend following a "least privilege" access methodology\nwhereby individuals are limited to system access. Access is granted only to the resources\nneeded to perform duties. Employing different locks at physical entry points and\nterminal locks on computers and relocating public resources from computer rooms are\nmethods used to limit access.\n\nRecommendations\n\nWe made nine recommendations to the Director, National Museum of the American\nIndian:\n\n    1. \t Relocate the copiers from the computer rooms and relocate the routers and\n       servers from publicly accessible locations.\n\n    -\nManagement Comments\n\nAgreed. NMAI plans to relocate the copier from the Network Control Center at the CRC\nto a different location. NMAI will also secure the router at the Research Branch and\nconsider relocation of the servers for RAISER\'S EDGE and FARSIGHT.\n\nOffice of the Inspector General Resuonse\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the\nDirector in May 2003 to obtain the status of this recommendation.\n\n   2. 
\t Examine staff access needs and storage requirements at the GGHC computer\n        room and develop controls to prevent public access to the system resources.\n\nManacement Comments\n\nAgreed. NMAI will relocate the video-conferencing equipment and the Film and Video\nContractor.\n\nOfice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the\nDirector in May 2003 to obtain the status of this recommendation.\n\n   3. \t Permit the GGHC computer facilities to be used only for maintaining computer\n        resources.\n\nManagement Comments\n\nAgreed. NMAI will reorganize staff to permit the GGHC computer facilities to be used\nonly for maintaining computing resources.\n\x0cOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the\nDirector in May 2003 to obtain the status of this recommendation.\n\n   4. \t Establish a separate lock and key at the Bronx location and identify appropriate\n        staff to maintain the key.\n\nManagement Comments\n\nAgreed. GGHC Security will install a new lock cylinder at the Research Branch and\nidentify appropriate staff to maintain the key.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the\nDirector in January 2003 to obtain the status of this recommendation.\n\n   5. Install hand held extinguishers in computer rooms.\n\nManagement Comments\n\nAgreed. Technology staff persons are researching appropriate hand-held fire\nextinguishers for NMAI\'s computer rooms.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the\nDirector in January 2003 to obtain the status of this recommendation.\n\n   6. 
While awaiting SI policies on computer rooms, issue guidance to staff on the need to maintain a safe working environment and reinforce more oversight of computer rooms.\n\nManagement Comments\n\nAgreed. NMAI\'s Information and Technology Resources Manager will speak with staff and issue written guidance on the need to maintain a safe working environment.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the Director in January 2003 to obtain the status of this recommendation.\n\n   7. Implement a backup and emergency power supply to secure NMAI system resources.\n\nManagement Comments\n\nAgreed. NMAI is determining whether the GSA back-up generator can be used by NMAI. If this generator does not become available, NMAI plans to install an additional uninterruptible power supply at the GGHC facility.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the Director in June 2003 to obtain the status of this recommendation.\n\n   8. Complete the necessary additions to the GGHC computer room and assess the overhead plumbing situation.\n\nManagement Comments\n\nAgreed. Once storage and staffing decisions are made, the necessary additions to the GGHC computer room will be undertaken. The Information and Technology Resources Manager will require plastic sheets to be available to drape over machines.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the Director in July 2003 to obtain the status of this recommendation.\n\n   9. Establish procedures and persons responsible for maintaining proper housekeeping.\n\nManagement Comments\n\nAgreed. 
NMAI\'s Information and Technology Resources Manager will establish procedures and task staff with responsibility for maintaining proper housekeeping.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the Director in January 2003 to obtain the status of this recommendation.\n\nF. Isolated NT Network\n\nNMAI is unnecessarily operating a separate Windows NT network to support 25 Registrar staff. A former employee established the network, and NMAI maintains it because staff believe it is necessary to support the New York collections move database. Operating a separate network that is not consistent with the Institution\'s enterprise network, however, increases contractor costs for server administration and desktop support that NMAI and OCIO staff would otherwise perform. In addition, a separately administered NT network carries its own internal vulnerabilities.\n\nBackground\n\nWe interviewed NMAI Network Communication Center (NCC) administrators, Registrar administrators, and the Registration Information Transaction System (RITS) database developer contractor.\n\nSmithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that shall apply to Institution units. In particular, the directive requires managers to take systematic and proactive actions to develop and implement appropriate, cost-effective management controls. It also requires that the controls established provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.\n\nSmithsonian Institution Technical Reference Model (TRM), Version 1.0, December 2001, IT-920-01, applies to program area and technical managers and to others responsible for information technology systems and services. Compliance is required unless specifically waived by the Chief Information Officer. 
The TRM recognizes that the Institution is composed of varied and incompatible hardware and software. The heterogeneous nature of the Institution\'s technology infrastructure has constrained its ability to infuse new technology. The TRM attempts to apply an enterprise approach to managing technology infrastructure. A more homogeneous, standards-based information technology infrastructure will provide the foundation for distributed systems that are robust and scalable. The TRM attempts to establish consistent information and communication services throughout the Institution. A standards approach will provide the ability to update and replace technology more cost-effectively. The TRM identifies Novell NetWare as the preferred network operating standard.\n\nResults of Review\n\nThrough our network analyses and interviews with technology staff, we determined that NMAI is unnecessarily operating a Windows NT network to support 25 Registrar staff. The Institution\'s enterprise network is Novell. For this reason, duplicate administration, outside of the Novell administration, is required. The Registrar uses a support contractor to assist in maintaining the separate Windows NT network.\n\nAccording to Registrar staff, a former Registrar staff member established the Windows NT network. The network was maintained under the premise that NCC staff members were not sufficiently experienced to administer the Registrar\'s needs and that the New York collections move required a Windows NT network to operate the RITS database. Based on our server and network evaluations, however, we determined that NCC staff had administered similar system resources, and according to the RITS developing contractor, a Windows NT network is not required for operating the RITS database. Both the RITS developers and the network administrator stated that the users could access the application through Novell. 
In fact, according to the RITS developers, Novell users from Photography, Exhibition, and Curatorial are currently accessing RITS. RITS was developed using Microsoft technology. Technically, only this Microsoft application needs to be maintained in the Microsoft environment; users remain independent of it and may access the application from the Novell network.\n\nAny unit that operates a separate network that is inconsistent with the Institution\'s enterprise network increases contractor support costs in server administration and desktop support. This additional contracted support would otherwise be performed by NMAI, NCC, and OCIO staff. In addition, there is a risk of internal denial-of-service attacks and data compromise due to NT server vulnerabilities.\n\nConclusion\n\nStandardization has economic benefits because the funding spent on unnecessary, duplicate administration can be put to better use. Following the SI technical model also encourages standardization across the Institution.\n\nRecommendation\n\nWe recommended that the Director, National Museum of the American Indian, eliminate the Windows NT network.\n\nManagement Comments\n\nAgreed. The Information and Technology Resources Manager will request contract support to migrate the Registration Information Tracking (RITS) application to be accessible through the Novell network.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are partially responsive to the recommendation. We request clarification on whether the Director plans to eliminate the NT network and, if not, a technical justification to maintain its existence.\n\nG. Peer-to-Peer Technology\n\nUse of peer-to-peer technology (p2p)[4] puts NMAI systems and the SI network at risk. We found that staff were using p2p programs such as instant messaging and Internet file sharing programs. 
They were using instant messaging as a communication solution and file sharing programs for personal downloading of music and video. As a result, NMAI and SI system resources are vulnerable to viruses, worms, and denial-of-service attacks.\n\nBackground\n\nThe scope of our review consisted of evaluating the general software controls. We reviewed system server applications and client-side applications and interviewed management and information technology staff.\n\nSmithsonian Directive 931, Use of Computers and Networks, August 5, 2002, requires that the Institution\'s computers and networks be used only for Smithsonian-related work. The Directive further states that Smithsonian communications must be protected from unauthorized access and that sensitive information, including electronic mail and file transfers, must be encrypted. The Directive lists different types of computer and network misuse, including seeking, transmitting, and storing offensive material. It states that copyrighted and licensed materials should not be used on a personal computer, SI Net, or the Internet unless legally owned or otherwise in compliance with intellectual property laws. It also states that each user should avoid overtaxing processing and storage capabilities by minimizing the transfer of audio and video files. Finally, it grants system administrators authority to access electronic files for system maintenance or development, system security, and correcting software problems.\n\nSmithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that shall apply to Institution units. In particular, the directive requires managers to take systematic and proactive steps to develop and implement appropriate, cost-effective management controls. 
It also requires that the controls established provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.\n\nThe SANS (SysAdmin, Audit, Network, Security) Institute, Peer-to-Peer Networking, October 29, 2001, concludes that the use of p2p software is a credible threat to network security. In addition, the limited documentation surrounding the technology hinders the ability of network and system administrators to analyze and obtain knowledge of the vulnerabilities associated with its use. Often system administrators are unaware that users have downloaded and installed these applications. This lack of awareness leaves system administrators unable to protect systems from the many p2p security loopholes. SANS notes the following problems with p2p technology:\n\n       unnecessary network bandwidth utilization that congests networks;\n       illegal transfers that involve copyrighted material;\n       information leakage and loss of control over the data on computers and networks;\n       virus and Trojan propagation from downloads originating at untrusted sites; and\n       Internet Protocol address and machine name disclosure outside the internal trusted network, and firewall circumvention.\n\n[4] According to the SANS Institute, p2p technology is a communication model in which each computer has the ability to initiate a communication session with other computers running p2p software. P2p applications enable users to use the Internet to exchange files and communicate.\n\nResults of Review\n\nNMAI used two p2p technology applications: instant messaging and file sharing. Our reviews identified Instant Messaging (IM) software installed on the server. Through network scans, we identified open ports commonly used by file sharing applications. There are currently four main IM products available for free. 
AOL Instant Messenger (AIM), ICQ Instant Messenger, Yahoo Messenger, and MSN Messenger Service are programs that allow anyone to determine when users are online and available for messaging, chatting, or file sharing. IM programs do not provide the option of preventing others from adding one\'s name to their individual contact lists.[5] Some IM programs permit users to share entire file directories. Our identification of Kazaa, an Internet file sharing program, within the NMAI network also opens other vulnerabilities similar to those of IM. Prior to our discovery of Kazaa, NMAI management had notified staff that the museum and the Institution do not condone the use of p2p file sharing programs such as Napster, Kazaa, and Gnutella, all well-known Internet file sharing programs.\n\nNMAI information technology staff were using IM as a convenient communication method. During our audit, technology staff removed instant messaging from the server. Staff used file sharing programs for personal downloading of music and video. Additionally, NMAI technology staff and the computer security industry have all recognized[6] that it is extremely difficult to identify and monitor the use of IM and file sharing programs within an enterprise network.\n\nAccording to Internet and computer security organizations, p2p technologies carry numerous documented risks. For example, privacy issues arise when personal and workplace information such as machine names and computers\' Internet Protocol (IP) addresses are disclosed. Unless an enterprise encryption program is put in place, all IM messages sent and received are transferred in plain text and are susceptible to interception. 
Further, file transfers could allow infected files to bypass conventional antivirus protection. Although network gateway antivirus products can limit the transfer of malware[7] files, these products must be strategically placed on the network and could interfere with network performance.\n\nThese well-known file sharing programs pose a risk. Because shared files are commonly video and music files, which are extremely large compared to normal network file traffic, they congest network links and unnecessarily occupy bandwidth required for official network traffic. Storage of large files also has the potential to fill up hard drives and network file storage. It is well known that file sharing applications provide a conduit for malware to circumvent firewalls and enter networks, because almost all downloads originate from untrusted sources. The file sharing programs themselves often have hidden backdoors built into them that permit outside users to enter and view files. Additional risks include copyright infringement and virus and Trojan horse program propagation.\n\n[5] Other users can determine when someone is online as long as they are included in their "buddies" list of contacts. There is no means to restrict someone from being added to someone else\'s "buddies" list.\n\n[6] SANS Institute, The Instant Messaging Menace: Security Problems in the Enterprise and Some Solutions, January 31, 2002, has identified instant messaging and p2p technology as a security threat to enterprise networks.\n\n[7] Malware is malicious code inserted or concealed in legitimate files. Computer viruses and worms are common malware code.\n\nConclusion\n\nAlthough specifically discovered during this audit, the use of p2p technologies, in all likelihood, is prevalent across the Institution. 
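The review identified p2p use from open ports found in network scans, and the industry remedy the report relies on is alerting on large file transfers. The following is an added example, written for this edition and not part of the OIG report or of any Smithsonian tooling, of how that first-pass check can be scripted over network flow records: it flags connections to the default ports of the p2p and IM products named above and any transfer above a size threshold, then lists the internal hosts that should get a desktop review. The port table, the 50 MB threshold, and the flow records are assumptions constructed for illustration; the ports are the products' defaults of the period, and a user can change them, so a port match is an indicator to follow up, not proof.

```python
"""Flag peer-to-peer and instant-messaging activity in network flow records.

Added example, not from the OIG report. The flow records below are
constructed for illustration; the port table holds the default ports the
named applications used around 2002-2003 and is an assumption for this
example, not an audit finding.
"""
from __future__ import annotations

from dataclasses import dataclass

# Default contact ports of the p2p and IM products the report names.
# Assumption for illustration: deployments often change them, so a port
# match is a first-pass indicator that warrants a desktop review.
P2P_PORTS = {
    1214: "Kazaa (FastTrack)",
    6346: "Gnutella",
    6347: "Gnutella",
    5190: "AIM / ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
}

# A transfer at or above this size is flagged as a possible music/video
# download. Assumed threshold; tune it to the link's normal traffic profile.
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MB


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    flow: Flow
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: src dst dport bytes."""
    src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


def classify(flow: Flow) -> list[str]:
    """Return the reasons a flow is suspicious (empty list if none).

    A single flow can trigger both checks, e.g. a large download on a
    well-known p2p port; both reasons are reported.
    """
    reasons = []
    if flow.dport in P2P_PORTS:
        reasons.append(f"port {flow.dport} is the default for {P2P_PORTS[flow.dport]}")
    if flow.nbytes >= LARGE_TRANSFER_BYTES:
        reasons.append(f"large transfer: {flow.nbytes // (1024 * 1024)} MB")
    return reasons


def scan(lines: list[str]) -> list[Alert]:
    """Run both checks over raw records; blank lines and '#' comments are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        for reason in classify(flow):
            alerts.append(Alert(flow, reason))
    return alerts


def hosts_to_review(alerts: list[Alert]) -> list[str]:
    """Internal source hosts named in any alert, deduplicated and sorted."""
    return sorted({a.flow.src for a in alerts})


# Constructed sample records (not real NMAI traffic): src dst dport bytes
SAMPLE_FLOWS = """
# normal web and mail traffic
10.1.2.10 192.0.2.80 80 184320
10.1.2.11 192.0.2.25 25 9216
# Kazaa contact on its default port, small control traffic
10.1.2.12 198.51.100.7 1214 4096
# large download from an unknown host on a non-standard port
10.1.2.12 203.0.113.9 41255 734003200
# instant messaging logins
10.1.2.13 198.51.100.20 5190 2048
10.1.2.14 198.51.100.21 1863 3072
""".splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_FLOWS)
    for alert in found:
        f = alert.flow
        print(f"{f.src} -> {f.dst}:{f.dport}  {alert.reason}")
    print("hosts to review:", ", ".join(hosts_to_review(found)))
```

The size check is what catches the fourth record: Kazaa clients that have been moved off port 1214 still show up as a multi-hundred-megabyte transfer from an address that is not a known server, which is why the report asks for large-transfer alerting at the network control points rather than port filtering alone.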
Because of the significant risks involved with p2p technologies, industry computer security experts have devised some remedies for enterprise networks. For example, industry experts recommend deploying an intrusion detection system that uses pattern matching to alert on large file transfers and thereby identify potential file sharing activities. In addition, clear and accountable policies give notice to system users about the dangers and bandwidth disadvantages associated with the use of this technology.\n\nRecommendations\n\nWe made two recommendations to the Chief Information Officer:\n\n1. Issue policies and guidance on the use of p2p technology for the Institution.\n\nManagement Comments\n\nAgreed. The Chief Information Officer plans to analyze safeguards for peer-to-peer technologies, including instant messaging. The CIO plans to issue policies and guidance by July 2003.\n\nOffice of the Inspector General Response\n\nThe CIO\'s actions are responsive to the recommendation. We will follow up with the Director in July 2003 to obtain the status of this recommendation.\n\n2. Modify the SI network control points to identify large file transfers and potential file sharing activities in order to alert network administrators.\n\nManagement Comments\n\nAgreed. The CIO plans to upgrade the software in SInet routers by October 2003. These upgrades will allow the routers to recognize and restrict file sharing network activities.\n\nOffice of the Inspector General Response\n\nThe CIO\'s actions are responsive to the recommendation. We will follow up with the Director in October 2003 to obtain the status of this recommendation.\n\n3. We recommended that the Director, National Museum of the American Indian, perform periodic network and PC reviews to determine if p2p programs are being used and take appropriate administrative action when necessary.\n\nManagement Comments\n\nAgreed. 
NMAI\'s Information and Technology Resources Manager will issue guidance about the use of p2p software and ensure that periodic reviews check for misuse of p2p technology.\n\nOffice of the Inspector General Response\n\nThe Director\'s actions are responsive to the recommendation. We will follow up with the Director in March 2003 to obtain the status of this recommendation.\n\nAppendix A. NMAI Server Security Configurations Compared to Industry Standards\n\nAppendix B. Electronic Data Archiving\n\n[Diagram: three NMAI sites linked by existing digital connections: NMAI-CRC, Suitland, Maryland (Sun Microsystems box running Unix, containing the New York back ups, with auto-archiving software); NMAI Museum, Washington, DC (server running Unix, low-end machine); and NMAI-GGHC, New York, New York.]\n\nProcess for Auto-Archiving:\n\n1. NMAI-CRC, Suitland, Maryland performs a tape back up. The back up is stored on-site in a fireproof room. Using auto-archiving software, a digital copy is sent via an existing digital connection to location 2 (NMAI Washington, DC).\n\n2. NMAI Washington, DC receives a digital copy of the NMAI-CRC back up. This back up is sent to the tape drive on the server that received the digital copy of the back up. This copy is then stored on site at NMAI, Washington, DC. On another NMAI-Washington, DC server the daily back up of NMAI-Washington is backed up to tape; after the back up has completed, a digital copy of NMAI-Washington is sent to location 3 (NMAI-GGHC in New York City) via an existing digital connection.\n\n3. NMAI-GGHC receives the digital copy of the NMAI Washington, DC back up as well as the NMAI-CRC back up; both back ups are sent to the tape drives, and a separate copy of both back ups is made and stored on site at NMAI-GGHC. A back up of NMAI-GGHC is made on tape, and then a digital copy of NMAI-GGHC is sent to NMAI-CRC via an existing digital connection.\n\nThe digital copy of NMAI-GGHC is received at NMAI-CRC, backed up to tape, and stored on site at NMAI-CRC. A digital copy of this back up from NMAI-GGHC is sent to NMAI-Washington, DC along with the digital back up of NMAI-CRC. Using this suggested model, NMAI would have a back up copy of all of its critical data stored at three different locations in case of a disaster which destroyed or disabled one of the NMAI facilities.\n\nDate: January 6, 2003\n\nTo: Thomas D. Blair\n\ncc: Dennis Shaw, Doug Evelyn, Jane Sledge\n\nFrom: W. Richard West\n\nSubject: Comments on Draft Report on Audit of Information System Controls at the National Museum of the American Indian\n\nThank you very much for the opportunity to comment on the Draft Report. Please find our written comments attached to this memorandum.\n\nI consider information and technology security to be an important part of good management practice and this survey is especially timely as we prepare for the opening of NMAI\'s new museum on the National Mall. 
\n\nI very much appreciate this comprehensive review of our information security program and your staff\'s efforts and assistance. Let me express NMAI\'s sincere appreciation for the timely and constructive manner of this review and the knowledge and experience your staff shared with us. We value your recommendations and take them seriously. The facts presented in the report are accurate, I concur with all the recommendations, and I present an action plan for implementation in the attached document.\n\nAttachment\n\nA. System Security Configurations\n\nRecommendation / Response / Action / Target Date\n\n1. Use technical industry guidance to develop and implement server and client configuration settings.\nResponse: Concur\nAction: The Information and Technology Resources (ITR) Manager, Jane Sledge, circulated the System Security Configuration Summary and Results prepared by the Inspector General\'s representative, David Cole, to technology staff and requested staff to review and update security settings vulnerabilities noted in the document.\n\nThe ITR Manager will work with a soon-to-be-hired Technology Manager[1] to issue a series of directives to technology staff. 
The directives will include setting account lockouts, enabling audit processes, disabling or renaming guest accounts, and requiring all users to have passwords. As part of this effort, NMAI will establish a process to document server settings for hardware and software for servers at NMAI locations and circulate this to appropriate technology staff. These directives will be incorporated into Service Level Agreements with OCIO. Provisional actions will be set in place immediately.\n\nAccess to administrator group privileges will be limited to network and system administrators, authorized contractors, and key ITR staff.\n\nNMAI users will be asked to read and sign statements acknowledging compliance with SI Directive 931, Use of Computers and Networks, August 5, 2002.\n\n[1] NMAI is in the process of hiring a new Technology Manager who will assume on-going responsibility for these actions.\n\ns:\\information system controls audit 12-16-02 response\nJane Sledge Draft\n\n2. 
Define technology positions and include a delegation of system security responsibilities.\nResponse: Concur\nAction (target date July 2004): NMAI has begun a process to review and revise all technology-related positions and the duties assigned as part of a general reorganization of the Information and Technology Resources office. We anticipate this process to take approximately two years. It will also encompass preparation for the opening of the new museum on the National Mall, for which we anticipate additional staff support in FY04. (See also our response to Section D, recommendation 3.)\n\nAction (target date December 16, 2002): System security responsibilities will be written into new position descriptions and performance measures. The Inspector General\'s representative for computer security, David Cole, reviewed the position description for Technology Manager. Mr. 
Cole\'s suggestions were incorporated into the position description.\n\nAction (target date July 2004): The CIO, Dennis Shaw, intends to establish a standard position description for all SI Network Administrators. NMAI will adopt this when it is released.\n\nAction: Other existing technology position descriptions will be revised to incorporate system security as part of the reorganization process.\n\n3. Develop a tailored technical training program for technology staff.\nResponse: Concur\nAction (target date February 28, 2003): We will assess the security support needs of the museum in conjunction with OCIO and work with OCIO to assess overall training needs. 
NMAI\'s ITR Manager will review all technology staff position descriptions and develop an on-going security-training program.\n\nAction (target dates May 30, 2003 and August 2003): The Technology Manager will assess individual staff members\' Individual Development Plans as part of the IT Work Plan and evaluate performance and results at the mid-year review.\n\nAction (target date October 2003): We will reconsider security training needs and set goals for training money as part of the establishment of work plans for the FY 04 fiscal year.\n\n4. Develop and implement a semiannual assessment process for systems and network assets that includes server configuration evaluations and network scans based on industry standards.\nResponse: Concur\nAction (target date March 2003): This task will be incorporated into the performance review of the Technology Manager. 
The Technology Manager will request staff to apply the "Windows Security Scoring Tool" on a quarterly basis and report the results to the ITR Manager.\n\nAction (target date March 2003): The Technology Manager will monitor and report on a quarterly basis to the ITR Manager compliance by Systems Administrators in installing service packs and hotfixes.\n\n5. Review and determine the necessity of the numerous user accounts.\nResponse: Concur\nAction (target date January 28, 2003): As a matter of policy, all NMAI systems administrators will be requested by the ITR Manager:\n\n       To investigate the feasibility of implementing application-specific non-expiring passwords. Some applications, such as GroupWise, are beyond the control of NMAI. 
We will set regularly expiring (90 day) passwords for applications that support this capability.\n\n       To provide all NMAI users with the password policy when setting up new users.\n\n       To review all existing user accounts and delete accounts for which no user exists.\n\n6. Review the current system configurations and make adjustments where necessary to enhance system security.\nResponse: Concur\nAction: The Technology Manager will provide a monthly report[2] to the ITR Manager on the status of current systems configurations and plans for enhancing system security. Systems security maintenance will be incorporated into\n\nB. Automated Information Systems Developments\n\nRecommendation / Response / Action / Target Date\n\n1. 
Define an NMAI sponsor and formally define a development implementation team for the collection management system, media information management, and contact management system.\nResponse: Concur\nAction (target date February 28, 2003): In regard to NMAI\'s Collections Information System (CIS): We established a staff team to develop requirements and select the CIS, and we will name a development team, led by a newly established Collections Information System Manager, in February 2003. The CIS implementation team will include OCIO staff and a contract Unix systems administrator.\n\nAction (target date June 6, 2003): In regard to the Media Information Management System, NMAI will establish an implementation team when the Media Technology Working Group submits its recommendations to the CIO for inclusion in the Technology Reference Manual. 
We plan to acquire a\n                                                                system in Third Quarter FY03.\n\n                                                                In regard to the Contact Management System, pending                   February 28,2003\n                                                                formal approval of NMAl\'s Senior Management Group,\n                                                                Joan Andrews will be appointed to lead the Contact\n                                                                Management implementation team.\n\n  This will be one ofthe first actions requested o f the new Technology Manager. In the meantime, the Information and Technology Resources manager will as\nlead technology staffat the CRC, GGHC, and L\'Enfant Plaza to provide a report and update plans for system security enhancement.\n\ns:linformation system controls audit 12- 16-02 response\nJane Sledge Draft\n\x0c2. Require that current and       Concur            NMAI\'s ITR Manager has instructed staff to follow             December 12,\n   future development projects                      recently issued institutional guidance provided by            2002\n   follow the SI Life Cycle                         Technical Standard & Guideline IT-920-01 Life Cycle\n   Management Policy.                               Management Manual.\n\n\n\nC. Disaster Recoverv and Continuity of Ouerations Plan\n\nRecommendation                      Resoonse             Action\n\n\n1. We recommend that the          Concur            We note that OCIO plans to issue TSG IT-960-02,               January 4,2003\n   Director, National Museum                        Disaster Recovery and Contingency Planning in\n   of the American Indian,                          December 2002. 
The ITR Manager will review the\n   adopt and implement a                            Policy and discuss with staff how best to develop, adopt,\n   disaster recovery and                            and implement a Disaster Recovery and Contingency\n   continuity of operations                         Plan.\n   plan in accordance with SI\n   policies or current industry                     NMAI will appoint the new Technology Manager to               March 2 1,2003\n   standards.                                       oversee the development an NMAI Disaster Recovery\n                                                    and Contingency Plan.                                     %\n\n\n\n\n                                                    The ITR Manager will request the new Technology               July 25,2003\n                                                    Manager to implement the plan either as directed by the\n                                                    Policy document or by July 2003.\n\x0c1. Assign contract oversight        Concur   Unfortunately NMAI has not had sufficient           June 2003\n   responsibilities for technical            information and technology staff to dedicate to\n   contracts to qualified                    the support of its systems. In striving to open\n   information technology staff.             three buildings in ten years, NMAI dedicated a\n                                             large part of its technology resources to desktop\n                                             support staff. 
As part of a reassessment of its\n                                             information and technology staff, NMAI\n                                             understands and supports the urgent need to\n                                             provide more technical support for computer\n                                             applications managed independently by non-\n                                             technical staff. Nh4AI requested two new FTEs\n                                             in FY03 to strengthen this area. These two\n                                             positions should be filled by June 2003.\n\n                                             ITR staff will work closely with COTRs\n                                             managing technical projects to provide contract\n                                             oversight support for technical issues. ITR staff\n                                             will apply Life Cycle Management guidelines to\n                                             legacy systems.\n\n                                             We note that FARSIGHT does not commit or\n                                             expend funds. It is a "cuff record" financial\n                                             tracking system that enables NMAI management\n                                             to monitor and plan NMAI\'s budget and provides\n                                             functions not available in SFS. 
All financial\n                                             obligations take place within PeopleSofi, SI\'s\n                                             ERP.\n\x0cDefine and implement, with                     Concur     NMAI will review the existing contract for the      April 2003\nsupport from the Office of                                FARSIGHT vendor and, with support from the\nContracting, a contract                                   Office of Contracting, specify systems\nmodification for the maintenance                          maintenance requirements.\nof system support technology\ncontracts.\n\n2. \t Obtain the system          Concur                    System documentation will be requested              December 24,2002\n     documentation, including                             immediately and a change and configuration          March 28,2003\n     changes, from the FARSIGHT                           management process will be established by the\n     contractor and establish a                           end of March 2003.\n     change and canfiguration\n     management process for\n     future modifications.\n\n\n3. \t Perform an information                    Concur     NMAI began this task in November 2002. The    April 25,2003 draft\n     technology organization                              ITR Manager will present a draft proposal to  proposal\n     assessment to include                                NMAI\'s senior management group by April 25,\n     considering realigning                               2003. The proposal will be reviewed, revised, June 2003 Board of\n     technology positions under a                         and presented to NMAI\'s Technology Committee Trustees Review\n     central manager.                                     of its Board of Trustees in June 2003.\n\n\n\nE. 
\t Systems Facilities Physical Conditions\n\nRecommendation \t                                Reswnse   Action                                                     Target Date\n\n\n1. \t Relocate the copiers from the             Concur     Plans are already underway to relocate the copier   February 2003\n     computer rooms and relocate                          from the Network Control Center at the CRC to a\n     the routers and servers from                         different location.\n\ns:linformation system controls audit 12-16-02 response\nJane Sledge Draft\n\x0cr-  publicly accessible spaces.\n                                                         At the Research Branch, Bronx, plans are\n                                                         underway to put the router into a locked cabinet\n                                                         in the demark location.\n\n                                                         NMAI\'s L\'Enfant Plaza offices do not have a\n                                                         computer room to house the servers for Raiser\'s\n                                                         Edge and FARSIGHT. We will consider the\n                                                         feasibility of placing these servers in the CRC\n                                                         computer room, the OCIO computer room in\n                                                                                                            February 2003\n\n\n\n                                                                                                            May 2003\n\n\n\n\n                                                         A&I, or propose a non-public space at L\'Enfant\n                                                         Plaza.\n\n\n\n2. 
\t Examine staff access needs               Concur     Discussions are underway with GGHC                 May 2003\n     and storage requirements at                         management to determine alternative office and\n     the GGHC computer room                              storage areas for the Film and Video contractor\n     and develop controls to                             now sharing computer room space. NMAI\'s\n     prevent public access to the                        Deputy Director has tasked the ITR Manager and\n     system resources.                                   GGHC management to produce a new space plan\n                                                         to address these concerns.\n\n                                                         The video-conferencing equipment, now stored in    March 2003\n                                                         the GGHC computer room, will be moved to a\n                                                         new location.\n\n\n3. \t Permit the GGHC computer                 Concur     As stated above, we will move staff around to \n    May 2003\n     facilities to be used only for                      accommodate this recommendation. \n\n     maintaining computer \n\n     resources. \n\n\n\n\ns:linfomationsystem controls audit 12-16-02 response \n\nJane Sledge Drafl \n\n\x0c4. Establish a separate lock and              Concur    GGHC Security has been requested to install a\n   key at the Bronx location and                        new lock cylinder at the Research Branch, Bronx\n   identify appropriate staff to                        and discussions have taken place to identify\n   maintain the key.                                    appropriate staff to maintain the key.\n\n\n5. Install hand held extinguishers Concur               Technology staff are researching appropriate\n   in computer rooms.                                   
hand-held fire extinguishers for NMAI\'s\n                                                        computer rooms. Fire extinguishers will be\n                                                        purchased in January.\n\n\n6. While awaiting SI policies on              Concur    The ITR Manager will speak with staff and issue\n   computer rooms, issue                                written guidance.\n   guidance to staff on the need\n   to maintain a safe working\n   environment and reinforce\n   more oversight of the\n   computer rooms.\n\n\n7. Implement a back-up and                    Concur    The CRC computer room is connected to the\n    emergency power supply to                           back-up generator and has UPS units in place.\n    secure NMAI system                                  Myro Rimyk, GGHC Facilities Manager, is\n    resources.                                          investigating whether the New York computer\n                                                        facilities can be tied into the back-up generators\n                                                        at the GGHC and Research Branch. Access to\n                                                        the back-up generator may be subject to GSA\n                                                        provisions for the Custom House Building. If\n                                                        access is not granted, NMAI will acquire 30\n                                                        minute UPS.\n\n\n\ns:linfomation system controls audit 12-16-02 response                                                        9\nJane Sledge Drafl\n\x0c8. \t Complete the necessary                   Concur      Myro Riznyk, GGHC Facilities Manager, is            July 2003\n     additions to the GGHC                                investigating the feasibility of installing drain\n     computer room and assess the                         pans in the GGHC computer room. 
Once storage\n     overhead plumbing situation.                         and staffing relocations decisions are made, the\n                                                          necessary additions to the GGHC computer room\n                                                          will be undertaken. The ITR Manager, as part of\n                                                          the emergency supplies, require plastic sheets to\n                                                          be available to drape over machines.\n\n\n9. \t Establish procedures and                 Concur      The ITR Manager will establish procedures and       January 2003\n     persons responsible for                              task staff with responsibility for maintaining\n     maintaining proper                                   proper housekeeping.\n     housekeeping.\n\n\n\n\nF. Isolated NT Network\n\nRecommendation \t                               Res~onse   Action                                                     Target Date\n\n\n1. \tWe recommend that the                  Concur         The ITR Manager will contact SI\'s technology        April 2003\n    Director, National Museum                             support contractor, Infostructures, and request\n    of the American Indian,                               contract support to migrate the Registration\n    eliminate the Windows NT                              Information Tracking (RITS) application to be\n    network.                                              accessible through the Novel1 network.\n\n\ns:linfomation system conlrols audit 12-16-02 response                                                                              10\nJane Sledge DraA\n\x0cG. \tPeer-to-Peer Technoloay\n\nRecommendation                                 Resuonse   Action                                                 Target Date\n\n\n     1. 
\t We recommend that the Concur                    The Information and Technology Resources         March 2003\n          Director, National                              manager will task staff to perform regular\n          Museum of the                                   network and PC reviews to determine if p2p\n          American Indian,                                programs are being misused. The Manager will\n          perform periodic                                issue guidance to staff about the use of p2p\n          network and PC reviews                          software to download copyrighted materials and\n          to determine if p2p                             will take appropriate administrative actions.\n          programs are being used\n          and take appropriate\n          administrative action\n          when necessary.\n\n\n\n\ns:/infomation system controls audit 12-16-02 response                                                                          11\nJane Sledge Draft\n\x0cAppendix D. Management Comments from Dennis Shaw, Chief Information Officer\n\n\n\n\n              Srnithsonian Institution                                                          Memo\n\nI             Office of the Chief Information Officer\n\n\n      Date January 9,2003\n        To Thomas D. Blair\n           Inspector General\n\n\n\n              Chief Information Officer\n\n    Subject   Response to the Inspector General\'s Draft Report on Audit of Information System\n              Controls at the National Museum of the American Indian\n\n              Thank you for the opportunity to comment on the draft audit report on the National\n              Museum of the American Indian\'s information system controls. We agree with the audit\n              findings and report recommendations directed at my ofice. 
Planned actions associated\n              with each recommendation are contained in the attachment.\n\n\n\n\n              Attachment\n\n\n              Aru & Industries Building Room 2361\n              WO lebrson Drive SW\n              Washington M:105604463 \n\n              101.343.1052 Telrphonr\n              lOZ.312.Z884 FU \n\n\x0c                                                                              Atcachrnent\n\n        Response to Audit Report Recommendations on NMAI\'s IS Controls\n\nRecommendation I : Issue policies and guidance on the use of p2p technology for the\nInstitution.\n\nResponse: Concur. The OClO will analyze options for implcmcnting adequate\nsafeguards for peer-to-peer technology including instant messaging. Once we ltave\ncompleted our analysis we will issue policies and guidance on the usc of peer-to-pccr\ntechnology by July 2003.\n\nRecommendation 2: Modify the S1 network control points to identify large file tr~nsfers\nand potential file sharing activities in order to alert network administrators.\n\nResponse: Concur. The OClO will upgrade the software in SInet routers (network\ncontrol points) by October 2003. The software upgrade wilI allow the routers to\nrecognize nctwork applications and restrict this application traffic.\n\x0c'